Venom Hypervisor Vulnerability

Crowdstrike published details today about a critical vulnerability that they discovered in a number of virtualization hypervisors: KVM, QEMU and Xen. The vulnerability CVE-2015-3456, called “Venom” by Crowdstrike, is in the floppy disk driver. It allows the guest operating system running under the hypervisor to break out of the hypervisor and get access to the host operating system. This is one of the worst classes of vulnerabilities in virtualization, since from there the attacker can infect other guest operating systems, or try to get into other host systems in typical lateral growth fashion. There is no patch that can be applied at the guest level, i.e. the level that you typically control. The problem has to be fixed at the host level, which is typically controlled by a service provider, external or internal.

Mitigation

Talk to your service provider asap if you are running guest systems under Xen, KVM or QEMU. Patches from RedHat for KVM, the Xen project for Xen and QEMU have been published. There are no known exploits for the vulnerability, i.e. this is not a 0-day, but since the code is openly available it will be easy for attackers to reverse-engineer the vulnerability and come up with an exploit. You need to address this rather quickly – a good inventory of your virtualized infrastructure certainly helps.

In addition there might be uses of virtualization in appliances that you have installed. If an attacker can run code on these appliances it would be useful to inquire for patches on that level as well.

By the way, VMware, Hyper-V, Linode and Amazon AWS are not affected.

Qualys Detections

Internally you can use Qualys to scan for the vulnerability. We are covering it with QIDs 115078, 115079, 115080 and 115081 for the applicable versions of Red Hat Linux. These QIDs are authenticated checks that look into the installed versions of software. An active check would have to exercise the vulnerability in the floppy driver and most likely cause a system wide crash.

More to Come?

Virtualization adds an additional layer to our software stack. That layer is bound to have its own problems. I remember talking to a security researcher about the USB stack inside of the virtualization products, and he was finding plenty of vulnerabilities with a relatively simple fuzzer. Maybe virtualization’s time has come to get into a similar audit as OpenSSL last year. What do you think?

As this is a virulent and deep seated vuln within the web tier, can you please detail how Qualys will search the layers for this vuln? I am being asked by the executives over here that want me to explain to us how the Qualys External Enterprise tool will detect this, step by step. I am struggling on determining how to do this, and at this time I cannot speak to it intelligently if asked by execs or in front of execs. Can you help?